# Namespace that hosts every cert-manager component rendered below.
# The disable-validation label matches the first namespaceSelector expression
# of the ValidatingWebhookConfiguration at the end of this file, so the
# webhook's own bootstrap Issuer/Certificate objects in this namespace are not
# sent to a webhook that is not running yet (install-time deadlock avoidance).
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    certmanager.k8s.io/disable-validation: "true"
---
---
# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
# Identity of the cainjector Deployment (its serviceAccountName further down).
# Its permissions come from the cert-manager-cainjector ClusterRole/Binding,
# which include cluster-wide Secret read access — guard this token accordingly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.1

---
# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
# Identity of the admission webhook Deployment. It is bound to
# system:auth-delegator and to the extension-apiserver-authentication-reader
# Role in kube-system later in this file (aggregated-API-server requirements).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1

---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity of the cert-manager controller Deployment. Every
# cert-manager-controller-* ClusterRole below is bound to this single account,
# so its token carries the union of all controller permissions (including
# cluster-wide Secret create/update/delete).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1

---
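# Source: cert-manager/charts/cainjector/templates/rbac.yaml
# Permissions of the cainjector, which copies CA bundles out of Certificate
# secrets into the objects annotated for it (see the inject-ca-from and
# inject-apiserver-ca annotations further down). Blast radius: this role can
# read every Secret in the cluster and rewrite admission webhook, APIService
# and CRD registrations, so a compromise of the cert-manager-cainjector
# ServiceAccount token is cluster-wide. Monitor update events on these kinds.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read access to all Secrets: needed to fetch the CA from Certificate secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "events"]
    verbs: ["get", "create", "update", "patch"]
  # Injection targets — these are the high-impact grants.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]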
---
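# Binds the cainjector ClusterRole above to the cainjector ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager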
---
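# Source: cert-manager/templates/rbac.yaml
# Leader-election lock for the controller. The controller is started with
# --leader-election-namespace=$(POD_NAMESPACE), so only ConfigMaps in the
# cert-manager namespace are touched; a cluster-scoped grant is broader than
# strictly required (a namespaced Role would suffice) but is kept as rendered.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  # Used for leader election by the controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]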

---

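# Issuer controller role
# Reconciles namespaced Issuer resources. Secret create/update/delete is
# cluster-wide because Issuers (and the account keys they reference) may live
# in any namespace; this is the most sensitive grant in the role.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]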

---

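# ClusterIssuer controller role
# Reconciles cluster-scoped ClusterIssuer resources (e.g. letsencrypt-prod at
# the end of this file). Their secrets are read from the controller's
# --cluster-resource-namespace, yet the Secret grant below is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]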

---

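# Certificates controller role
# Reconciles Certificate/CertificateRequest objects and writes the issued key
# pair into the Secret named by each Certificate's secretName — hence the
# cluster-wide Secret write grant.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]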

---

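# Orders controller role
# Drives ACME Orders and creates/deletes the Challenge objects for them.
# Secrets are read-only here (no create/update/delete), unlike the issuer and
# certificate roles.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders", "clusterissuers", "issuers", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]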

---

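# Challenges controller role
# Solves ACME challenges. The HTTP01 solver creates Pods, Services and
# (extensions-group) Ingresses in the Certificate's namespace, which is why
# this role carries create/delete on those core resources cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  # Use to update challenge resource status
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Read access to Secrets serves both solvers: the ACME account private key
  # for completing challenges and DNS01 provider credentials. The original
  # rendering listed this rule twice; RBAC rules are a union, so one copy is
  # equivalent.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Only the legacy "extensions" Ingress group is granted; clusters that serve
  # Ingress solely from networking.k8s.io would need an equivalent rule there.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]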

---

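# ingress-shim controller role
# Creates Certificates for annotated Ingress objects. Note this role needs no
# Secret access at all — the certificates controller handles the key material.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Only the legacy "extensions" Ingress group is watched, as in the
  # challenges role above.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]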

---

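# Binds the leader-election ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager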

---

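# Binds the issuers controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager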

---

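# Binds the clusterissuers controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager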

---

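# Binds the certificates controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager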

---

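# Binds the orders controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager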

---

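# Binds the challenges controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager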

---

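# Binds the ingress-shim controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager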

---

# Aggregated read-only access to cert-manager resources. The aggregate-to-*
# labels fold these rules into the built-in view, edit and admin ClusterRoles,
# so every user holding one of those roles can list Certificates, requests
# and Issuers (not the Secrets they produce).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]

---

# Aggregated write access to cert-manager resources for holders of the
# built-in edit and admin ClusterRoles. Creating an Issuer or Certificate in a
# namespace lets that user drive issuance there, so namespace edit rights
# effectively include "request certificates via cert-manager".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---
# Source: cert-manager/charts/webhook/templates/rbac.yaml
### Webhook ###
---
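# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
# (system:auth-delegator lets the webhook ServiceAccount create TokenReviews
# and SubjectAccessReviews — the standard grant for an aggregated API server.)
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager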

---

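# apiserver gets the ability to read authentication. This allows it to
# read the specific configmap that has the requestheader-* entries to
# api agg
# (This is a namespaced RoleBinding in kube-system, deliberately scoped to the
# extension-apiserver-authentication-reader Role rather than a cluster-wide
# ConfigMap read.)
apiVersion: rbac.authorization.k8s.io/v1  # v1 is GA and already used elsewhere in this file; v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager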

---

# Role allowing "create" on the admission review resources served by the
# aggregated admission.certmanager.k8s.io API (see the APIService below).
# No binding for this role appears in this file; the kube-apiserver identity
# that calls the webhook presumably receives it elsewhere — confirm before
# relying on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
rules:
  - apiGroups: ["admission.certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["create"]

---
# Source: cert-manager/charts/webhook/templates/service.yaml
# Cluster-internal endpoint for the admission webhook. Port 443 is mapped to
# container port 6443, which must agree with --secure-port in the webhook
# Deployment. The APIService below references this Service by name/namespace.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 6443
  selector:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller

---
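# Source: cert-manager/charts/cainjector/templates/deployment.yaml
# cainjector: watches Certificates and injects their CA into the objects
# annotated for it. Runs as cert-manager-cainjector, whose ClusterRole grants
# cluster-wide Secret reads, so the container is hardened below as far as can
# be done without knowing the image's runtime user.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.1
spec:
  replicas: 1
  selector:
    # Must match the pod template labels exactly (including the Helm 2
    # "Tiller" value); apps/v1 selectors are immutable once created.
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cainjector-v0.9.1
      # The chart rendered an empty "annotations:" (YAML null); omitted here.
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cainjector
          # Quoted so the Jinja expression is valid YAML even before rendering
          # (an unquoted leading "{{" parses as a flow mapping).
          image: "{{ cert_manager_cainjector_image }}"
          # NOTE(review): IfNotPresent with a mutable tag keeps running whatever
          # a node has cached; pin the variable to an immutable tag or digest.
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            - --leader-election-namespace=$(POD_NAMESPACE)
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests/limits were rendered; set them per cluster so the pod
          # is not scheduled as BestEffort.
          resources: {}
          # The container declares no ports and needs no kernel capabilities.
          # runAsNonRoot / readOnlyRootFilesystem are deliberately not set
          # until the image's numeric user and write paths are confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]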

---
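# Source: cert-manager/charts/webhook/templates/deployment.yaml
# Admission webhook, reached by kube-apiserver through the aggregation layer
# (APIService below). It serves TLS from the Secret produced by the
# cert-manager-webhook-webhook-tls Certificate at the end of this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  replicas: 1
  selector:
    # Must match the pod template labels exactly (including the Helm 2
    # "Tiller" value); apps/v1 selectors are immutable once created.
    matchLabels:
      app: webhook
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: webhook-v0.9.1
      # The chart rendered an empty "annotations:" (YAML null); omitted here.
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: webhook
          # Quoted so the Jinja expression is valid YAML even before rendering
          # (an unquoted leading "{{" parses as a flow mapping).
          image: "{{ cert_manager_webhook_image }}"
          # NOTE(review): IfNotPresent with a mutable tag keeps running whatever
          # a node has cached; pin the variable to an immutable tag or digest.
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # 6443 is an unprivileged port and must match the Service targetPort.
            - --secure-port=6443
            # Served from the "certs" Secret volume mounted below.
            - --tls-cert-file=/certs/tls.crt
            - --tls-private-key-file=/certs/tls.key
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests/limits were rendered; set them per cluster so the pod
          # is not scheduled as BestEffort.
          resources: {}
          # Binds only an unprivileged port, so no capabilities are required.
          # runAsNonRoot / readOnlyRootFilesystem are deliberately not set
          # until the image's numeric user and write paths are confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: certs
              mountPath: /certs
      volumes:
        - name: certs
          secret:
            # Written by the cert-manager-webhook-webhook-tls Certificate; the
            # webhook pod will not become ready until that Secret exists.
            secretName: cert-manager-webhook-webhook-tls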

---
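# Source: cert-manager/templates/deployment.yaml
# Main controller. Its ServiceAccount holds every cert-manager-controller-*
# ClusterRole, i.e. cluster-wide Secret write access, so this pod is the most
# valuable target in the namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.1
spec:
  replicas: 1
  selector:
    # Must match the pod template labels exactly (including the Helm 2
    # "Tiller" value); apps/v1 selectors are immutable once created.
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.9.1
      # Pod-annotation based scraping of the metrics port declared below. No
      # Service exposes 9402 in this file; restrict it with a NetworkPolicy if
      # metrics should only be reachable from the monitoring namespace.
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: "true"
        prometheus.io/port: "9402"
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          # Quoted so the Jinja expression is valid YAML even before rendering
          # (an unquoted leading "{{" parses as a flow mapping).
          image: "{{ cert_manager_controller_image }}"
          # NOTE(review): IfNotPresent with a mutable tag keeps running whatever
          # a node has cached; pin the variable to an immutable tag or digest.
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # Namespace in which ClusterIssuer secrets (e.g. the letsencrypt-prod
            # ACME account key) are read and written.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=$(POD_NAMESPACE)
            # Refers to the ClusterIssuer defined at the end of this file.
            - --default-issuer-name=letsencrypt-prod
            - --default-issuer-kind=ClusterIssuer
          ports:
            - containerPort: 9402
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Requests only; add limits per cluster policy.
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
          # Binds only an unprivileged port, so no capabilities are required.
          # runAsNonRoot / readOnlyRootFilesystem are deliberately not set
          # until the image's numeric user and write paths are confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]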

---
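# Source: cert-manager/charts/webhook/templates/apiservice.yaml
# Registers the webhook as an aggregated API so kube-apiserver proxies
# /apis/admission.certmanager.k8s.io/v1beta1/* to the cert-manager-webhook
# Service. The CA used to verify the backend is injected from the named Secret
# by the cainjector (inject-ca-from); do not add insecureSkipTLSVerify.
apiVersion: apiregistration.k8s.io/v1  # v1 is GA (same schema); v1beta1 was removed in Kubernetes 1.22
kind: APIService
metadata:
  name: v1beta1.admission.certmanager.k8s.io
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
  annotations:
    certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
spec:
  group: admission.certmanager.k8s.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: cert-manager
  version: v1beta1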

---
# Source: cert-manager/charts/webhook/templates/pki.yaml
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
# (Step 1 of the webhook PKI bootstrap; see the CA Certificate/Issuer and the
# serving Certificate that follow.)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-selfsign
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  selfSigned: {}

---

# Generate a CA Certificate used to sign certificates for the webhook
# (Step 2: the CA key pair lands in Secret cert-manager-webhook-ca in this
# namespace. Anyone who can read that Secret can mint certificates the
# apiserver trusts for the aggregated admission API — scope RBAC on it.)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-ca
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  secretName: cert-manager-webhook-ca
  duration: 43800h  # 5y
  issuerRef:
    name: cert-manager-webhook-selfsign
  commonName: "ca.webhook.cert-manager"
  isCA: true

---

# Create an Issuer that uses the above generated CA certificate to issue certs
# (Step 3: CA-backed Issuer reading the key pair from Secret
# cert-manager-webhook-ca.)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-ca
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  ca:
    secretName: cert-manager-webhook-ca

---

# Finally, generate a serving certificate for the webhook to use
# (Step 4: the resulting Secret is mounted at /certs by the webhook Deployment
# and its CA is injected into the APIService via inject-ca-from. The dnsNames
# cover the short, namespaced and ".svc" forms the aggregation layer dials.)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-webhook-tls
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
spec:
  secretName: cert-manager-webhook-webhook-tls
  duration: 8760h  # 1y
  issuerRef:
    name: cert-manager-webhook-ca
  dnsNames:
    - cert-manager-webhook
    - cert-manager-webhook.cert-manager
    - cert-manager-webhook.cert-manager.svc

---
# Source: cert-manager/templates/servicemonitor.yaml (no resources rendered from this template)


---
# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
# Validation of cert-manager resources on CREATE/UPDATE. Requests are routed
# through the aggregation layer: clientConfig targets the "kubernetes" Service
# in "default" with a path under the admission.certmanager.k8s.io APIService,
# and the cainjector fills in the apiserver CA (inject-apiserver-ca).
# failurePolicy: Fail is only safe because the cert-manager namespace is
# excluded — via its certmanager.k8s.io/disable-validation label, since the
# Namespace at the top of this file carries no "name" label for the second
# expression to match. Left at v1beta1: the v1 API additionally requires
# sideEffects and admissionReviewVersions and a webhook that speaks v1
# AdmissionReview.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.1
  annotations:
    certmanager.k8s.io/inject-apiserver-ca: "true"
webhooks:
  - name: certificates.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
        - key: "certmanager.k8s.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
  - name: issuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
        - key: "certmanager.k8s.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - issuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
  - name: clusterissuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
        - key: "certmanager.k8s.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusterissuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
---
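# Default issuer named by the controller's --default-issuer-name/-kind flags.
# The ACME account private key is kept in Secret "letsencrypt-prod" in the
# controller's --cluster-resource-namespace (the cert-manager namespace);
# holders of that key can act on the ACME account, so restrict reads on it.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Quoted so an unset variable renders as an empty string that the
    # resource validation rejects, rather than silently as YAML null, and so
    # the unrendered template is still valid YAML.
    server: "{{ acme_server }}"
    email: "{{ acme_email }}"
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}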